Skip to content

memory leak in dns_message_checksig function - SIG(0) without view

Reproduced using code from !5923 (merged) commit 4a3aa7abc8fb0610a807dcbd5ca34af1b332d97e.

It was caught by AFL fuzzer when tests were crashing wildly.

AFL output:

  american fuzzy lop ++4.02c {default} (.libs/lt-dns_message_checksig) [fast]
┌─ process timing ────────────────────────────────────┬─ overall results ────┐
│        run time : 0 days, 0 hrs, 0 min, 26 sec      │  cycles done : 14    │
│   last new find : 0 days, 0 hrs, 0 min, 0 sec       │ corpus count : 117   │
│last saved crash : 0 days, 0 hrs, 0 min, 4 sec       │saved crashes : 27    │
│ last saved hang : none seen yet                     │  saved hangs : 0     │
├─ cycle progress ─────────────────────┬─ map coverage┴──────────────────────┤
│  now processing : 31.274 (26.5%)     │    map density : 0.31% / 1.41%      │
│  runs timed out : 0 (0.00%)          │ count coverage : 1.45 bits/tuple    │
├─ stage progress ─────────────────────┼─ findings in depth ─────────────────┤
│  now trying : havoc                  │ favored items : 60 (51.28%)         │
│ stage execs : 117/220 (53.18%)       │  new edges on : 76 (64.96%)         │
│ total execs : 1.62M                  │ total crashes : 158 (27 saved)      │
│  exec speed : 61.6k/sec              │  total tmouts : 0 (0 saved)         │
├─ fuzzing strategy yields ────────────┴─────────────┬─ item geometry ───────┤
│   bit flips : disabled (default, enable with -D)   │    levels : 8         │
│  byte flips : disabled (default, enable with -D)   │   pending : 27        │
│ arithmetics : disabled (default, enable with -D)   │  pend fav : 0         │
│  known ints : disabled (default, enable with -D)   │ own finds : 114       │
│  dictionary : n/a                                  │  imported : 0         │
│havoc/splice : 93/655k, 48/959k                     │ stability : 99.27%    │
│py/custom/rq : unused, unused, unused, unused       ├───────────────────────┘
│    trim/eff : 32.43%/2274, disabled                │          [cpu000: 25%]
└────────────────────────────────────────────────────┘^C

+++ Baking aborted by the chef +++
[+] We're done here. Have a nice day!

Reproducer:

autoreconf -fiv
CC='afl-clang-fast' CFLAGS='-O2 -march=native' CPPFLAGS='-D_FORTIFY_SOURCE=0' ./configure --enable-fuzzing=afl
make
cd fuzz
make check  # fails, but nevermind
./dns_message_checksig

This will print a message with a value you sound set in the next step. E.g.

Warning: AFL++ tools might need to set AFL_MAP_SIZE to 67237 to be able to run this instrumented program if this crashes!

Go on:

AFL_MAP_SIZE=67237 afl-fuzz -i dns_message_checksig.in -o dns_message_checksig.out .libs/lt-dns_message_checksig

💥

Versions used:

$ pacman -Q afl clang
aflplusplus 4.02c-1
clang 14.0.6-2
BIND 90949da78f048eca660417906a25165de676e8c1
Edited by Petr Špaček
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information